Security Economics

Overview

I'm an active researcher in security economics. As a discipline, security economics helps to answer questions such as these:

Why has Internet security worsened even as investment has increased?

According to a report from the US Secret Service/Verizon, 64% of data breaches could have been prevented using "simple and cheap" countermeasures. Why aren't they deployed?

How much should firms invest to protect their IT systems?

How can the past history of cyber incidents guide future investments in defense?

Economics puts the challenges facing information security into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. In order to solve the problems of growing vulnerability and increasing crime, solutions must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. This requires a technical comprehension of security threats combined with an economic perspective to uncover the strategies employed by attackers and defenders.

Research in security economics includes the development of theoretical models to study the strategic interaction of attackers and defenders. It also includes empirical approaches to quantify security threats more accurately. This page lists some of my papers, including introductory surveys, policy recommendations, empirical analysis and modeling. It also lists some publication venues for security economics research.

Security Economics Conferences

Due to its interdisciplinary nature, it can be difficult to keep track of all the venues for publishing research in the field of security economics. Below is a partial list of conferences that encourage papers on the economics of information security.

WEIS, the Workshop on the Economics of Information Security. WEIS is the flagship conference for research on the economics of information security, held in June each year. WEIS 2015 will be held in Delft, Netherlands on June 22-23. All papers from past WEIS conferences are available on their respective websites (WEIS 2002-2014). You can also find past proceedings on DBLP.

Financial Crypto (FC). In addition to applied cryptography papers, FC encourages submissions on the economics of information security, especially if they relate to financial security or fraud. Papers from past conferences are linked to from the IFCA website.

The Journal of Cybersecurity (JCS) is a new open-access publication from Oxford University Press, developed specifically to deliver a venue that bridges the many different disciplines and specialties involving information security. Selected papers from WEIS conferences will be published in JCS, beginning in 2015.